
chicksdaddy writes with news of a remote exploit in Samsung Smart TVs, and a warning for those who got one with a built-in camera. From the article: "The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners' social media credentials and even to spy on those watching the TV using built-in video cameras and microphones. In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ('zero day') hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in an Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving a remote attacker the ability to spy on those viewing a compromised set."

1984 is the year Winston writes in the first diary entry, but he isn't completely certain that that year is accurate.

"He sat back. A sense of complete helplessness had descended upon him. To begin with, he did not know with any certainty that this was 1984. It must be round about that date, since he was fairly sure that his age was thirty-nine, and he believed that he had been born in 1944 or 1945; but it was never possible nowadays to pin down any date within a year or two."

If someone wants to know if I'm home, they can peek through the curtains and determine if that's really me dancing in the living room, or if it's a cardboard cutout moving around on a toy train. Or maybe they can just notice that there are no cars and the lights haven't changed for a while.

Samdung has intentionally put this "feature" into the idiot boxes commonly known as TVs. They want to track the sheeple to sell to advertisers so they can eventually receive a larger profit. Capitalism is all about maximizing profit at the expense of the weak. The solution to all of this is simple, communism. Since there is no profit involved in communism there is no motive for spyware to be added to anything.

Once next year's model comes out, firmware updates slow down and eventually cease. Then your smart TV will no longer receive any bug fixes, security updates or enhancements. Compare that to an external device like a Roku that is typically supported for years at a time. When it becomes hopelessly obsolete, you swap out the box for less than a hundred dollars and have the latest and greatest again.
In the future we will have the same situation as the rootable Samsung printers. Someone will discover a serious exploit that won't be patched because all those products are at EOL.

Just give me a basic 42-50 inch monitor with speakers, a few HDMI ports and an ATSC tuner. If I want internet functionality, video conferencing or other features, I'll get my own add-on box. And when the software is no longer supported (what makes you think these TV manufacturers want to support this stuff for long), I can dump the box and get a newer one for much less than the cost of a brand new "smart" TV.
To me, the only truly smart TV is one that divorces the advanced functionality from the TV.

To this I would add: act as a pure computer monitor. When I hook up a computer to a TV via a DVI-to-HDMI cable and it looks like crap because of overscan [dreamwidth.org] I get all stabby.

But other than that, yeah, make it as dumb as possible. My parents' TVs lasted DECADES. I don't want to have to get a new one every five years because DivX/Zune Store/PlaysForSure*/Hulu/Netflix is gone.

The problem is the remote. Setting up an add-on HTPC, adding a USB IR remote receiver, then programming a universal remote to operate both it and the TV (and your blu-ray player and cable box) is no problem for tech people like you and me. But the preceding sentence is utter gibberish to the vast majority of people. So a Smart TV which combines the TV with networked HTPC out of the box is attractive to those folks.

In a way, it makes sense. If you take apart a rear projection or LCD HDTV, you'll find

Which they will hopelessly break in a firmware update six months later and then will never get around to fixing before they EOL the product.

TV and Blu-Ray player vendors are truly at the bottom of the barrel when it comes to writing software. To be fair, they always have been, but it just didn't matter as much when devices were dumb as dirt.

I don't remember seeing your earlier post the first time around, but coincidentally I was in the electronics store just yesterday, and I saw one of these Samsung TVs with the marketing junk covered with stuff about the integrated camera/mic. I actually joked with the guy from the store that Samsung had imported someone from north of the border who still thought 1984 was a reference manual. And then today I log onto Slashdot and find this...

I've always been leery about everything wanting to have internet access.

Partly because I don't see any benefit from the features of having my TV connect to the internet, and partly because I don't trust that vendors have any clue about security.

If you're going to run things like this, you should definitely have a firewall to keep the outside world at bay. The fact that Samsung has no fix for this tells me there's probably loads of devices like this which will prove to be insecure.

I've never even plugged my Blu Ray player into the network, and I'm getting close to the point of disconnecting my XBox from the network because I don't use any of the on-line features and the ads which have started showing up in games are annoying.

If you need an internet connection for me to play a game on a console... well, I simply won't buy your product. And I didn't buy the box to be marketed to.

To give an idea of how ridiculous this is, there are currently web-enabled toasters that allow you to take an image off the Internet and burn it into a piece of toast. I'm glad that I'm not the only one thinking "Why would you ever remotely want to do that?" rather than "Cool, I can put pictures on toast!"

LOL, but if you burn an image of Jesus or The Virgin Mary [bbc.co.uk] onto toast you can sell it for a fortune, right?

But, yes, a web-enabled toaster sounds monumentally pointless. As would a fridge, a toilet, a chair, or my stove.

At a certain point, this is just adding internet support for the sake of saying you have it. I'm sure someone out there is going "ZOMG, but it's an internet enabled toaster", and they can spend their money on it -- I on the other hand will stick with the boring old toaster I have now, it ev

Do NOT buy so-called "Smart" TVs. Do you really think this is a "security flaw"? It's a FEATURE, designed to be used by corporations and governments. It just so happened that someone stumbled on it, so they're calling it a "bug".

A modern TV is just a big computer monitor. Many people even have computers attached to them. For those less technically inclined I could see something like this being convenient. Why would I not want to use my nice big TV and sit in the comfort of the couch with my family while we skype with friends and relatives in other locations?

Most Computer monitors these days max out at 1920x1080 which is the same as my TV, TVs go up to 4k. I was not aware my custom HTPC was a crap computer. Is a Core 2 quad not enough, should I go get an i7?

Why would I not want to use my nice big TV and sit in the comfort of the couch with my family while we skype with friends and relatives in other locations?

You might want to use it, but most people aren't Slashdot-reading geeks. I'm told most people don't want a big ugly tower in the living room, a keyboard and mouse that you need to put on a TV tray to launch anything, and all the complexity of maintaining a PC.

I have a computer in an HTPC case in the entertainment center - looks just like the amplifier near it. I use a remote control for almost everything. Once in a while, I get out the mouse and keyboards for maintenance.

But everything - even launching and exiting emulators is done by remote control. Then the wireless controllers are used for playing the emulated games.

Don't bother, tepples will just say "most people" would be confused by an amplifier or a remote with more than 4 buttons or some other silly thing.

True, some people are confused by a remote with more than four buttons, but most people aren't. My point is that most people are unaware of the home theater PC use case because neither TV commercials nor major brick-and-mortar PC sellers promote it. I don't see bundles of a PC and an affordable remote control advertised. I went into a Best Buy, asked about home theater PCs, and was told a PlayStation 3 console was a better choice for home entertainment on a TV monitor. This underpromotion has led t

Just make it pretty. I'm planning a new gaming PC for the living room to intimidate the X360 and PS3, and it's going to have all sorts of LED lighting crap in it. It'll look like Christmas every day! Ah, the advantages of being an unloved misanthrope who lives alone! :-)

I'm an odd duck in that I feel KB and mouse are more *accurate*, but I find a dual analog controller more *fun*, so I can just go with my existing X360 controllers. There's menu programs for launching games. Maintaining is no worse than any

The main problem with 'smart' TVs is that you end up with a TV that (barring ghastly shoddiness) will last for several years; but the 'smart' part of it will be lucky to receive a firmware update or two, generally delivered by a team of crack programmers whose previous job was providing horribly malformed DDC information...

If it's a discrete computer, or some dinky Roku stick or whatever, you can upgrade it when the streaming service of the month goes out of business, or the manufacturer loses interest in you.

I can definitely understand the HTPC-is-too-much-work position (especially since prebuilt options are rather thin on the ground), I'm just struck by how dire the shit baked in to TVs is even compared to the little $50-$100 puck appliances and streaming boxes.

In magical pony fantasyland, it'd be nice if the TV people could standardize an 'appliance socket' that provides, say, an HDMI port with CEC and a specified amount of power to work with in a defined slide-in chassis size. Then you could still replace the

It's not even the less technically inclined who want it. I would rather have a TV that can do this than a computer whirring away in my living room as it doesn't go with the decor. I am running 9 full-blown computers of various OS in the house (4 in a VM Lab)

Just like they got rid of webcams built into computers when it was found those could be hacked. Oh, wait...

TV is dying, being replaced by computers (I'm including phones that are basically small computers)/the internet as the main source of entertainment. People want streaming, interactiveness, to not have to buy separate devices to do things that can easily be done on one device. (Instead, they want to keep buying the new version of that one device.) Very few people of the main electronics buying ages w

Not happening fast enough, though. I don't even watch a lot of stuff, but I need basic satellite with Tivo, iTunes, and Netflix streaming with 1 DVD out at a time to watch what I want when I want it. If someone could get everything into one account and one interface and 100% streamed I'd be ecstatic.

Just like they got rid of webcams built into computers when it was found those could be hacked. Oh, wait...

Computers generally have a light associated with the webcam that cannot be disabled through software or firmware. And computers tend to be used actively. TVs tend to be used passively, so a light might not be enough to get your attention. Also, webcams on computers are at least moderately useful. Webcams on TVs are not, unless you want to be tethered to a single room while using video chat or some

Well, that's the end of that pointless, stupid feature if they ever want to sell another TV again. If you want to watch TV, watch TV. If you want to web chat on skype and stuff, get a real computer. That actually was the solution the whole, Samsung's marketing department just didn't know it apparently.

Except well, computers are hard. This you can get your grandparents as a gift, then gather the family around the TV to say hello (rather than a cramped laptop where no one can fit their head entirely in the sc

No Windows or Macs in my house, and wireless is on its own separate net. The internet goes through a Sonicwall. They're full of crap if they think they're going to get anything out of my TV without physically breaking into the house.

I see posts like that, it makes me pine for the days when I did security work. I would hear shit like that from people in all kinds of environments. Then hand them a stack of account numbers, or a video of my updating their firmware version from my car.

More critically: there is no independent software update capability, meaning that, barring a firmware update from Samsung, the exploitable hole can’t be patched without “voiding the device’s warranty and using other exploits,” ReVuln said.

In other words, there is a software update capability, it's just not an independent one (whatever that means).

You're not fixing the engineering behind it, you're replacing a defective part, dummy!

A) Coding != Engineering. Otherwise CIS degrees would have an "E" in there somewhere. Not to mention, if patching defective code is not analogous to replacing defective car parts, I don't know what analogous is (Hint: I do).

B) Even if coding did == engineering, that doesn't fix the logical flaw in OP's reasoning. Heck, if anything, it makes him seem that much more of an elitist prick, expecting everyone who owns a TV to understand how it's engineered.

Not only is your point entirely fair, but the GP post was optimistic anyway. If this device is network enabled for legitimate reasons (streaming catch-up TV services, say) but also phones home for firmware updates and/or permits installable apps that actually change the software running internally, that's going to be non-trivial to firewall against abuse even if you have some idea what you're doing.

Put me in the camp that wants a TV to be a TV, without including an ad hoc, informally-specified, bug-ridden,

I read it that way initially and nearly wrote off the comment, but then I thought about it further. TVs could contain cable modems, but it isn't necessary. They're decoding digital data streams all day. Half the buffer overflow exploits I've seen in the past few years have involved image/video decompression, usually in the area of embedded tag parsing or some other similarly esoteric bit of functionality. Within a DVB bitstream, you have lots of side channels for things like program listings, CC data, etc. Any code that works with any of those pieces of data could contain bugs. And then some portion of your TV is 0wn3d.

Although the notion that such backdoors are intentional seems a little paranoid, the GP actually makes a good point about TVs being complex digital devices with no real firewall between them and potentially malicious data streams. The fact that there's no middleman for the malicious data—anybody anywhere on your local loop could potentially overpower the legitimate data and provide malicious data in its place—is just the icing on the cake.

That said, attacking smart TVs over the Internet (after exploiting bugs in the firewall) is probably a more straightforward attack approach. Network-attached smart TVs with cameras and any sort of network connectivity are pretty much a porno video waiting to happen. Anybody who says otherwise is kidding him/herself.

If you're just using it for control purposes, it is possible to do so in a way that is relatively safe. Use two separate computers—one containing the DSP hardware and access to the camera, providing as its output only a series of control messages containing gesture events, and a second one that is the actual Internet-connected brain. Make sure the camera-connected device accepts only signed firmware updates.

If the Internet-connected device needs access to the camera, though, you're pretty much at t

Well that still applies here too. But many people do have something they want to hide when they're in their own home. Because walking around naked, getting it on with your sig other, picking your nose and eating it, are all activities you can freely do in your own home because you're not exposing those activities to others. People do things in their home that they wouldn't do if other people were watching them. Not because it's a crime though...